Fix parsing of GET SAML logout requests

Roman_Dyndyn · marcusdacoregio · commit a884a45cb7b3 · 2023-10-16T08:01:05.000-03:00
diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/logout/OpenSamlLogoutRequestValidatorParametersResolver.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/logout/OpenSamlLogoutRequestValidatorParametersResolver.java
@@ -200,7 +200,7 @@ private Saml2LogoutRequestValidatorParameters logoutRequestByRegistration(HttpSe
 	}
 
 	private String inflateIfRequired(HttpServletRequest request, byte[] b) {
-		if (HttpMethod.GET.equals(request.getMethod())) {
+		if (HttpMethod.GET.matches(request.getMethod())) {
 			return Saml2Utils.samlInflate(b);
 		}
 		return new String(b, StandardCharsets.UTF_8);
diff --git a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/web/authentication/logout/OpenSamlLogoutRequestValidatorParametersResolverTests.java b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/web/authentication/logout/OpenSamlLogoutRequestValidatorParametersResolverTests.java
@@ -115,6 +115,21 @@ void saml2LogoutResolveWhenUnauthenticatedThenParameters() {
 		assertThat(parameters.getLogoutRequest().getSamlRequest()).isEqualTo(encoded);
 	}
 
+	@Test
+	void saml2LogoutResolveWhenUnauthenticatedGetRequestThenInflates() {
+		String registrationId = this.registration.getRegistrationId();
+		MockHttpServletRequest request = get("/logout/saml2/slo");
+		String logoutRequest = serialize(TestOpenSamlObjects.logoutRequest());
+		String encoded = Saml2Utils.samlEncode(Saml2Utils.samlDeflate(logoutRequest));
+		request.setParameter(Saml2ParameterNames.SAML_REQUEST, encoded);
+		given(this.registrations.findUniqueByAssertingPartyEntityId(TestOpenSamlObjects.ASSERTING_PARTY_ENTITY_ID))
+			.willReturn(this.registration);
+		Saml2LogoutRequestValidatorParameters parameters = this.resolver.resolve(request, null);
+		assertThat(parameters.getAuthentication()).isNull();
+		assertThat(parameters.getRelyingPartyRegistration().getRegistrationId()).isEqualTo(registrationId);
+		assertThat(parameters.getLogoutRequest().getSamlRequest()).isEqualTo(encoded);
+	}
+
 	@Test
 	void saml2LogoutRegistrationIdResolveWhenNoMatchingRegistrationIdThenSaml2Exception() {
 		MockHttpServletRequest request = post("/logout/saml2/slo/id");
@@ -129,6 +144,12 @@ private MockHttpServletRequest post(String uri) {
 		return request;
 	}
 
+	private MockHttpServletRequest get(String uri) {
+		MockHttpServletRequest request = new MockHttpServletRequest("GET", uri);
+		request.setServletPath(uri);
+		return request;
+	}
+
 	private String serialize(XMLObject object) {
 		try {
 			Marshaller marshaller = XMLObjectProviderRegistrySupport.getMarshallerFactory().getMarshaller(object);

Original file line number	Diff line number	Diff line change
`@@ -200,7 +200,7 @@ private Saml2LogoutRequestValidatorParameters logoutRequestByRegistration(HttpSe`
`200`	`200`	`}`
`201`	`201`
`202`	`202`	`private String inflateIfRequired(HttpServletRequest request, byte[] b) {`
`203`		`- if (HttpMethod.GET.equals(request.getMethod())) {`
	`203`	`+ if (HttpMethod.GET.matches(request.getMethod())) {`
`204`	`204`	`return Saml2Utils.samlInflate(b);`
`205`	`205`	`}`
`206`	`206`	`return new String(b, StandardCharsets.UTF_8);`